Security for diverse computing systems

ABSTRACT

A security mechanism, e.g., a computing system or security server, can effectively serve as a centralized security mechanism for an ecosystem that can include diverse clients and servers. The security mechanism can obtain redirected requests for services, authenticate credentials of a client and generate a (client-side) token that can be provided by the client to the server for verification of the identity of the client. The security mechanism can also obtain a token from a server that can be similar to the (client-side) token provided to a client and then generate a (server-side) token that can be provided to the server. The server-side token can include authorization information that allows access to one or more services of one or more other servers.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. § 119(e) to the following co-pending and commonly-assigned patent application, which is incorporated herein by reference: Provisional Patent Application Ser. No. 62/611,284, entitled “SECURITY FOR DIVERSE COMPUTING ENVIRONMENTS,” filed on Dec. 28, 2017, by Vikkal Gupta and Ram Prasad Reddy.

BACKGROUND

In the context of computing environments and systems, data can generally encompass all forms of information storable in a computer readable medium (e.g., memory, hard disk). Data, and in particular, one or more instances of data can also be referred to as data object(s). As is generally known in the art, a data object can, for example, be an actual instance of data, a class, a type, or a particular form of data, and so on.

Generally, one important aspect of computing and computing systems is storage of data. Today, there is an ever increasing need to manage storage of data in computing environments. Databases provide a very good example of a computing environment or system where the storage of data can be crucial. As such, to provide an example, databases are discussed below in greater detail.

The term database can also refer to a collection of data and/or data structures typically stored in a digital form. Data can be stored in a database for various reasons and to serve various entities or “users.” Generally, data stored in the database can be used by one or more of the “database users.” A user of a database can, for example, be a person, a database administrator, a computer application designed to interact with a database, etc. A very simple database or database system can, for example, be provided on a Personal Computer (PC) by storing data, e.g., contact information, on a Hard Disk and executing a computer program that allows access to the data. The executable computer program can be referred to as a database program, or a database management program. The executable computer program can, for example, retrieve and display data, e.g., a list of names with their phone numbers, based on a request submitted by a person, e.g., show me the phone numbers of all my friends in Ohio.

Generally, database systems are much more complex than the example noted above. In addition, databases have evolved over the years and are used in various businesses and organizations, e.g., banks, retail stores, governmental agencies, universities. Today, databases can be very complex. Some databases can support several users simultaneously and allow them to make very complex queries, e.g., give me the names of all customers under the age of thirty-five (35) in Ohio that have bought all the items in a given list of items in the past month and also have bought a ticket for a baseball game and purchased a baseball hat in the past 10 years.

Typically, a Database Manager (DBM) or a Database Management System (DBMS) is provided for relatively large and/or complex databases. As known in the art, a DBMS can effectively manage the database or data stored in a database and serve as an interface for the users of the database. For example, a DBMS can be provided as an executable computer program (or software) product as is also known in the art.

It should also be noted that a database can be organized in accordance with a Data Model. Some notable Data Models include a Relational Model, an Entity-relationship model, and an Object Model. The design and maintenance of a complex database can require highly specialized knowledge and skills by database application programmers, DBMS developers/programmers, database administrators (DBAs), etc. To assist in design and maintenance of a complex database, various tools can be provided, either as part of the DBMS or as free-standing (stand-alone) software products. These tools can include specialized Database languages, e.g., Data Description Languages, Data Manipulation Languages, Query Languages. Database languages can be specific to one data model or to one DBMS type. One widely supported language is Structured Query Language (SQL), developed by and large for the Relational Model, which can combine the roles of a Data Description Language, a Data Manipulation Language, and a Query Language.

Today, databases have become prevalent in virtually all aspects of business and personal life. Moreover, usage of various forms of databases is likely to continue to grow even more rapidly and widely across all aspects of commerce, social and personal activities. Generally, database systems can be very large and extremely complex, partly in order to support an ever increasing need to store data and analyze data. Typically, larger databases are used by larger organizations, larger user communities, or device populations. Larger databases can be supported by relatively larger capacities, including computing capacity, e.g., processor and memory, to allow them to perform many tasks and/or complex tasks effectively at the same time (or in parallel). On the other hand, smaller database systems are also available today and can be used by smaller organizations. In contrast to larger databases, smaller databases can operate with less capacity.

A current popular type of database is the relational database with a Relational Database Management System (RDBMS), which can include relational tables (also referred to as relations) made up of rows and columns (also referred to as tuples and attributes). In a relational database, each row represents an occurrence of an entity defined by a table, with an entity, for example, being a person, place, thing, or another object about which the table includes information.

One important objective of databases, and in particular, a DBMS, is to optimize the performance of queries for access and manipulation of data stored in the database. Given a target environment, an “optimal” query plan can be selected as the best option by a database optimizer (or optimizer). Ideally, an optimal query plan is a plan with the lowest cost (e.g., lowest response time, lowest CPU and/or I/O processing cost, lowest network processing cost). The response time can be the amount of time it takes to complete the execution of a database operation, including a database request (e.g., a database query) in a given system. In this context, a “workload” can be a set of requests, which may include queries or utilities, such as load, that have some common characteristics, such as, for example, application, source of request, type of query, priority, response time goals, etc.

Today, database systems with multiple processing nodes can be very effective for storing and processing data. For example, in a multi-node database system, each node can be provided with one or more processing units. A processing unit in a node can be provided with one or more physical processors that each support one or more virtual processors. Each node of a multi-node database system can, for example, have its own storage for storing data of the database. Generally, data stored in a database can be assigned for storage and/or processing to a processing unit or to a node of the database system. Ideally, data should be distributed between the nodes and/or processing units in an effective manner and database queries should be processed in a manner that would allow effective use of all of the nodes and/or processing units of the multi-node database system to the extent possible or needed.

A more recent development is the emergence of increasingly more diverse computing environments. By way of example, an ecosystem can provide various servers including database servers, analytical platforms, replication servers, and various micro services. Today, ecosystems can include a wide variety of clients and diverse servers provided by a wide variety of providers. It is also anticipated that ecosystems will become even more diverse in the near future. One important aspect of these ecosystems is security. Typically, security includes verification of the entities that request services as well as authorization of the services to them.

In view of the relevance of computing systems that provide services, and the emergence of ecosystems that are becoming increasingly more diverse, it is apparent that security techniques for ecosystems are useful.

SUMMARY

Broadly speaking, techniques for computing environments are disclosed. More particularly, security techniques and security systems for computing environments and systems are disclosed. The security techniques are especially suited for diverse computing environments, e.g., ecosystems.

In accordance with one aspect, a security mechanism can be provided in a computing system that may include various clients and servers that provide services that can be made available to the clients. The security mechanism, e.g., a computing system or security server, can effectively serve as a centralized security mechanism for an ecosystem that can include diverse clients and servers.

In accordance with another aspect, the security mechanism can obtain redirected requests for services (service requests) that are initially made by clients to the servers. In response to a redirected service request, the security system can then authenticate credentials of a client and generate a token (as a client-side token) that can be provided to the client, which can, in turn, provide the client-side token to the server as a form of verification of the client's identity.

In accordance with yet another aspect, the security mechanism can obtain a token from a server. The token can be generated at least partly based on the client-side token originally generated by the security mechanism and provided to a client, e.g., a client-side token that was provided to a client, received by the server, and digitally signed by the server. The security mechanism can then generate another token (as a server-side token) and provide it to the server. The server-side token can include authorization information that allows access to one or more services of one or more other servers.

Other aspects and advantages of the invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

FIG. 1 depicts a computing environment representative of an ecosystem in accordance with one embodiment.

FIG. 2 depicts a centralized security service in accordance with one embodiment of the invention.

FIG. 3 depicts an access token in accordance with one exemplary embodiment of the invention.

FIG. 4 depicts an authorization token that includes a header and a payload 404 in accordance with one embodiment.

FIG. 5 depicts a service making a request for credentials of an external service in accordance with one exemplary embodiment.

FIG. 6 depicts a service requesting credentials of an external service in accordance with another exemplary embodiment.

FIG. 7 depicts a security method for providing security in a computing environment in accordance with one embodiment.

FIG. 8 depicts a security method for providing security in a computing environment in accordance with one embodiment.

DETAILED DESCRIPTION

As noted in the background section, a more recent development in computing environments is the emergence of ecosystems. Today, ecosystems are diverse and are becoming even more diverse. By way of example, an ecosystem can include various servers including database servers, analytical platforms, replication servers, and various micro services. It is also anticipated that even more diverse forms will be added in the near future, resulting in even more diverse ecosystems. One important aspect of these ecosystems is security, which typically includes verification of entities that request services and authorization of services for them.

In view of the prevalence of computing environments and the verification techniques needed to support them, especially for computing environments that provide services in increasingly more diverse environments, it is apparent that improved security techniques would be useful.

Today, it is desirable to provide a collaborative environment for ecosystems. However, as ecosystems become more and more diverse, it is becoming even more difficult to provide collaborative environments. One increasingly difficult problem is security, by way of verification of various entities and authorization of access to various services, in environments where increasingly more diverse clients and service providers (servers) are available and are likely to become available, e.g., ecosystems, where collaboration is highly desirable but is becoming increasingly more challenging to provide in a secure manner as the environment becomes more and more diverse.

Conventionally, each of the servers in an ecosystem needs to be separately configured for security (verifications) that includes authentication of the entities and authorization of access to services. This conventional approach can require a significant amount of work and could create confusion between various development environments that provide and/or use these services. Furthermore, for virtually any new security feature, each development team of each service has to understand and develop it. However, separate development teams may interpret the requirements in different ways and implement them in different ways, leading to inconsistencies and/or confusion.

In view of the foregoing, improved security techniques are needed and would be highly useful, especially for diverse computing environments and systems, e.g., ecosystems, that encompass increasingly more diverse providers and services. It will be appreciated that improved security techniques can be provided that are especially suited for diverse computing environments and systems.

In accordance with one aspect, a security mechanism can be provided in a computing system that may include various clients and servers that provide services that can be made available to the clients. The security mechanism, e.g., a computing system or security server, can effectively serve as a centralized security mechanism for an ecosystem that can include diverse clients and servers.

In accordance with another aspect, the security mechanism can obtain redirected requests for services (service requests) that are initially made by clients to the servers. In response to a redirected service request, the security system can then authenticate credentials of a client and generate a token (as a client-side token) that can be provided to the client, which can, in turn, provide the client-side token to the server as a form of verification of the client's identity.

In accordance with yet another aspect, the security mechanism can obtain a token from a server. The token can be generated at least partly based on the client-side token originally generated by the security mechanism and provided to a client, e.g., a client-side token that was provided to a client, received by the server, and digitally signed by the server. The security mechanism can then generate another token (as a server-side token) and provide it to the server. The server-side token can include authorization information that allows access to one or more services of one or more other servers.

Embodiments of these aspects of the invention are also discussed below with reference to FIGS. 1-8. However, those skilled in the art will readily appreciate that the detailed description given herein with respect to these figures is for explanatory purposes as the invention extends beyond these limited embodiments.

FIG. 1 depicts a computing environment 100 representative of an ecosystem in accordance with one embodiment. Referring to FIG. 1, a security system 102 can effectively function as a centralized security system for the computing environment 100, which includes server A, server B and a client A. The security system 102 can obtain (e.g., receive, identify, determine) a redirected request for service (or service request) 104 b from the server A. Typically, the redirected service request 104 b is initiated by the client A and sent to server A as an initial service request 104 a. In other words, the security system 102 can receive the service request 104 a as a redirected service request 104 b from the server A.

Thereafter, the security system 102 can effectively initiate verification of client A (the originator of the service request). In doing so, the security system 102 can at least obtain (e.g., receive, determine, identify) authentication credentials 106 of the client A in order to verify the client A. For example, the authentication credentials 106 of the client A can be provided by the client A directly to the security system 102 as a result of a request initiated by the security system 102 and sent directly to the client A. Alternatively, the security system 102 can receive the authentication credentials 106 of the client A from the server A or elsewhere.

Typically, the authentication credentials 106 of the client A can be provided by the client A directly to the security system 102. In any case, after the security system 102 obtains authentication credentials 106 of the client A, it can attempt to verify the credentials 106 of the client A. If the security system 102 cannot successfully verify the credentials 106 of the client A, it can effectively cause the service request 104 a to be denied, for example, by communicating an authentication failure message via the server A and/or client A. However, if the security system 102 can successfully verify the credentials 106 of the client A, it can proceed to generate an access token 108 to effectively facilitate processing of the service request 104 a for the client A. The security system 102 can generate the access token 108 at least partly based on the authentication credentials 106 of the client A. As such, the access token 108 can include authentication information of and/or associated with the client A.

Moreover, the access token 108 can be provided to the client A, for example, by the security system 102, allowing client A to use the access token 108 to effectively verify itself. For example, the security system 102 can send the access token 108 to the client A after it generates the access token 108. Then, client A can present the access token 108 to the server A to effectively show that it has been successfully verified by the security system 102. Similarly, the security system 102 can verify another client, namely client B, for the same server, namely server A, and/or another server, namely server B, as well as other clients and servers (not shown in FIG. 1) that can be present in a diverse computing environment 100 in FIG. 1, e.g., an ecosystem. As such, the security system 102 can effectively serve as a central security system or entity in a diverse computing environment that includes several diverse clients and servers.

It should also be noted that security system 102 can also be configured to obtain (e.g., receive, determine, identify) an access token 110 associated with the server A. It will be appreciated that the access token 110 can be made based on the access token 106 that was provided by the client A to server A. As such, the access token 110 can be similar, if not virtually identical, to the access token 108, but it can also include additional access information, including identity information of the server A. Typically, the server access information of the access token 110 can identify server A and indicate that it has requested the services of another server, for example, server B. For example, server A can obtain the access token 108 that was provided by the client A and sign it (e.g., sign it with a private key of the server) to allow the access token 110 to identify the server A.

After the security system 102 obtains the access token 110, it can generate an access token (or a server-side access token) 112 for the server A in order to allow server A to access one or more services of another server, namely server B. The security system 102 can generate the server-side access token 112 with authentication information allowing access to one or more services of server B. The security system 102 can generate the server-side access token 112 in a similar manner as discussed above with respect to access token 108 (or a client-side token). However, the server-side access token 112 can include authentication information allowing server B to effectively use it to gain access to one or more services of server B.

Those skilled in the art will readily appreciate that the security system 102 can, for example, be provided as a computing system or computer that utilizes one or more physical processors to execute computer program code that can be stored in a computer readable medium (e.g., non-transitory computer readable storage medium, memory). As such, the security system 102 can be provided as or by hardware components and/or software components.

To elaborate further, FIG. 2 depicts a centralized security service (or server) 200 in accordance with one embodiment. The centralized security service 200 represents an exemplary security system 102 in accordance with one exemplary embodiment. The centralized security service 200 can facilitate authentication and authorization. For example, initially, client 202 can connect to an analytical server 204 to execute analytical queries. Then, the analytical server 204 can connect to the replication server 206, which is configured with two database servers, namely, database servers 208A and 208B. It should be noted that, conventionally, without the centralized security service 200, each one of the two database servers, namely, database servers 208A and 208B, would have to be configured with user authentication and authorization.

The client 202 can connect to the analytical server 204 in different ways, for example, by using password-based authentication, e.g., sending an encrypted username/password. As another way, a Single Sign On (SSO), e.g., Kerberos, can be used, as those skilled in the art will readily appreciate. As yet another way, multifactor authentication schemes, e.g., key token, RSA token, or biometrics (finger prints, eye scans, face scans), can be used. The analytical server 204, depending on how it is configured, can either authenticate the client (user) 202 or send a request to the centralized security service 200 for authentication. If the analytical server 204 is configured to authenticate the client 202, then it can request an access token from the centralized security service 200. However, if the centralized security service 200 is configured for the authentication in this situation, the analytical server 204 can request the access token from the centralized security service 200 by providing, e.g., sending, its credentials. In either case, the analytical server 204 can request an access token and the request can be signed, for example, by a private key of the analytical server 204.

Then, the centralized security service 200 can verify and validate the request and authenticate the client (or user) 202. In doing so, the centralized security service 200 can, for example, use a SQL DB, e.g., sqlite, an LDAP based directory, or SSO to authenticate the identity of the client (or user) 202. The centralized security service 200 can generate an access token that ascertains the identity of the client (or user) 202. A format for the access token can, for example, be JWT (JSON Web Token), and it can be signed by a private key of the central identity manager 200 (i.e., the centralized security service 200). This access token can also include the authorization information for each of the services that the client (or user) 202 is allowed to access. The access token can be generated and provided to the requester, namely, the analytical server 204 in this example.

The analytical server 204 can validate the access token, and the client (or user) 202 can be successfully authenticated. Thereafter, when the analytical server needs to connect to another server, such as the replication server 206, it can use the access token in order to establish a connection. In this example, the replication server 206 can check if the client (or user) 202 has been authenticated and has been authorized to access the services of the replication server 206. It should be noted that the access token can further be used by the replication server 206 to connect to the database systems 208.

Access Token Format

As noted above, a centralized security service 200 can be used for authentication in a diverse computing environment, e.g., an ecosystem. A centralized security service (CSS) can authenticate users, e.g., clients, and optionally retrieve authorization information, as well as generate a token (or access token) that ascertains the identity of the users. The format for the access token can, for example, be JWT (JSON Web Token) as documented in IETF RFC 7519, and it can be signed, for example, by a CSS private key, as those skilled in the art will readily appreciate. The access token can optionally include authorization information for each of the services that users are allowed to access. To elaborate further, FIG. 3 depicts an access token 300 in accordance with one exemplary embodiment.

Referring to FIG. 3, the access token 300 includes a header 302, a payload 304, and a signature 306. In the example, header 302 includes the signature algorithm (alg), token type (typ) and content type (cty). The algorithm is RS256 (RSA signature using the SHA-256 hash algorithm) and a CSS can use two content types (authentication and authorization). In the example, payload 304 includes information regarding the user identity and optionally information on groups the user belongs to, and services the user is allowed to access.

Table 1 below provides more information about the payload 304 depicted in FIG. 3.

TABLE 1

  jti       JWT token unique identifier.
  iss       Issuer who issued this token.
  aud       Audience. CSS sets it to the requester.
  sub       Subject, which identifies the user.
  exp       Expiration (time). A number (seconds since epoch) representing when this token expires.
  iat       Issued at (time).
  nbf       Not before (time).
  groups    (Optional) Groups which the user is assigned to.
  services  (Optional) Services which the user is allowed to access.

The signature 306 part of the access token 300 (shown in FIG. 3) includes: base64UrlEncode(header) + “.” + base64UrlEncode(payload), signed using the algorithm specified in the header part. The access token can be generated by converting the three parts using base64 (URL) encoding and adding “.” to separate each part, as shown below:

    Base64UrlEncode(HEADER).Base64UrlEncode(PAYLOAD).Base64UrlEncode(SIGNATURE)

After the access token is generated, it can be issued to the requesting service. The unique ID of the access token can be noted in the CSS as long as the token is valid, or until the access token is refreshed or invalidated.

Authorization

A centralized security service (CSS) can also be optionally configured for retrieving authorization information for each individual service that a user is authorized to access. This authorization information can be used by services. Moreover, the users can save a significant amount of time during connection establishment. To further elaborate, FIG. 4 depicts an authorization token 400 that includes a header 402 and a payload 402 in accordance with one embodiment. In the case of an authorization token, each service entry can include authorization information for each configured service. For example, for the “db1” service the token includes the “roles” and “profile” information assigned, so when the db1 service gets this token, it can just use this information, thereby saving a significant amount of time during connection establishment.
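As an added example (not code from the application), the following Go program sketches the access token format of FIG. 3 and Table 1 together with the per-service entries of FIG. 4: the CSS issues Base64UrlEncode(HEADER).Base64UrlEncode(PAYLOAD).Base64UrlEncode(SIGNATURE) signed RS256 with its private key and notes the jti until the token is invalidated, and a receiving service verifies the signature before trusting any claim. The names NewCSS, Issue, Verify, the audience "analytical-server" and the "db1" roles/profile values are assumptions; the optional groups claim of Table 1 is omitted for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims mirrors payload 304 (Table 1); Services carries the per-service "roles"/"profile" entries of FIG. 4.
type Claims struct {
	Jti      string                       `json:"jti"`
	Iss      string                       `json:"iss"`
	Aud      string                       `json:"aud"`
	Sub      string                       `json:"sub"`
	Exp      int64                        `json:"exp"`
	Iat      int64                        `json:"iat"`
	Nbf      int64                        `json:"nbf"`
	Services map[string]map[string]string `json:"services,omitempty"`
}

// CSS is a minimal centralized security service: its RSA signing key plus the jti values still noted as valid.
type CSS struct {
	key    *rsa.PrivateKey
	issued map[string]int64 // jti -> exp; an entry is dropped when the token is invalidated
}

func NewCSS() (*CSS, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return &CSS{key: key, issued: map[string]int64{}}, err
}

func (c *CSS) PublicKey() *rsa.PublicKey { return &c.key.PublicKey }
func (c *CSS) IsLive(jti string) bool   { _, ok := c.issued[jti]; return ok }
func (c *CSS) Revoke(jti string)        { delete(c.issued, jti) }
func b64(b []byte) string               { return base64.RawURLEncoding.EncodeToString(b) }

// Issue builds Base64UrlEncode(HEADER).Base64UrlEncode(PAYLOAD).Base64UrlEncode(SIGNATURE); RS256 is RSA PKCS#1 v1.5 over SHA-256.
func (c *CSS) Issue(cty string, cl Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "cty": cty}) // header 302
	p, _ := json.Marshal(cl) // plain strings, ints and maps: cannot fail
	signingInput := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	c.issued[cl.Jti] = cl.Exp // note the unique ID while the token is valid
	return signingInput + "." + b64(sig), nil
}

// Verify is what a receiving service does: pin alg, check the CSS signature before trusting any claim, enforce nbf..exp and aud, then ask the CSS whether the jti is still live.
func Verify(tok string, pub *rsa.PublicKey, audience string, now int64, isLive func(string) bool) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three parts")
	}
	rawH, errH := base64.RawURLEncoding.DecodeString(parts[0])
	rawP, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("malformed base64url part")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawH, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header") // never honour a token-chosen alg
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the CSS key")
	}
	var cl Claims
	if err := json.Unmarshal(rawP, &cl); err != nil {
		return nil, err
	}
	if now >= cl.Exp || now < cl.Nbf {
		return nil, errors.New("token is outside its nbf..exp validity window")
	}
	if cl.Aud != audience {
		return nil, errors.New("token was issued for a different audience")
	}
	if !isLive(cl.Jti) {
		return nil, errors.New("token revoked or unknown to the CSS")
	}
	return &cl, nil
}

func main() {
	css, err := NewCSS()
	if err != nil {
		panic(err)
	}
	// 1700000000 is a constructed fixed clock for the demo; the db1 entry is a constructed sample.
	tok, _ := css.Issue("authorization", Claims{Jti: "demo-1", Iss: "css", Aud: "analytical-server", Sub: "alice", Exp: 1700000300, Iat: 1700000000, Nbf: 1700000000, Services: map[string]map[string]string{"db1": {"roles": "analyst", "profile": "default"}}})
	_, err = Verify(tok, css.PublicKey(), "analytical-server", 1700000000, css.IsLive)
	println("token accepted:", err == nil)
}
```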

Interoperability with External Services

In a typical environment, the services in an ecosystem need to contact external services (e.g., Hadoop, Postgres SQL, Oracle) in order to complete user (e.g., customer) queries. A CSS can also be used in this case to provide a complete and secure solution: the CSS can effectively control access to the external services. Two exemplary ways by which a service can connect to an external service are described below.

Using Credential Based Authentication

A CSS can be configured to save the credentials, e.g., username and password, that can be used to connect to external services. Virtually any service that needs to connect to external services can contact the CSS and make a request for credentials. FIG. 5 depicts a service making a request for credentials of an external service in accordance with one exemplary embodiment.

Using Kerberos SSO

As another example, a CSS can also be configured to work with Kerberos delegated credentials, which can be used to connect to external services through SSO. Virtually any service that needs to connect to an external service can contact the CSS and make a request for the delegated credentials of the user. FIG. 6 depicts a service requesting credentials of an external service in accordance with another exemplary embodiment.

Referring to FIG. 6, in the first phase (610) an analytical client runs kinit (using the -f flag for a “forwardable” ticket) and gets a Kerberos TGT from the Kerberos KDC, which is used to get a service ticket for the analytical service(s) using the GSS API, and as part of the connection establishment the service ticket is forwarded to the analytical server.

Next, in the second phase (620) the analytical server authenticates the service ticket received from the analytical client using the GSS API and gets the delegated credentials token. Then, the server requests an access token from the CSS, including the credentials token in the request. After performing all the validations required, the CSS issues an access token and also saves the delegated credentials token.

Thereafter, in the third phase (630) the analytical service connects to the next service, namely Database DB1 in this example, using the access token. In the fourth phase (640), if Database DB1 wants to connect to an external service, for example, “Hadoop” using “Kerberos SSO,” it requests the credentials token from the CSS. As a result, the CSS, after checking whether the user is allowed to access the external service, can return the credentials token accordingly if access is allowed. In the fifth phase (650), Database DB1, after receiving the credentials token, saves it as a credential cache and uses it to get a service ticket for the external service (in this case, Hadoop). Finally, in the sixth phase (660), Database DB1 connects to Hadoop using Kerberos SSO.

To elaborate even further, FIG. 7 depicts a security method 700 for providing security in a computing environment in accordance with one embodiment. It should be noted that the computing environment includes at least one client and at least one server configured to provide one or more services. The computer-implemented method 700 can, for example, be implemented at least partially by one or more physical processors configured to process executable computer code that can be stored in a non-transitory computer readable storage medium. The security method 700 can, for example, be implemented by the security system 102 (shown in FIG. 1).

Referring to FIG. 7, initially, a redirected request for service is obtained (702). The redirected request for service is an initial request for service made by the client to the server for one or more services of the server. Next, at least authentication credentials of the client are obtained (704). The authentication credentials include information associated with the client and are needed to verify the identity of the client. Thereafter, a token is generated (706) based at least on the authentication credentials of the client. The token includes authentication information associated with the client and indicates that the identity of the client has been verified. The token is provided (708) to the client, thereby allowing the client to send the token to the server to indicate that the identity of the client has been verified. Security method 700 ends after the token is provided (708) to the client.

Although not shown in FIG. 7, the identity of the client can be verified based on the obtained authentication credentials of the client. In addition, the authentication credentials can be requested from the client before the token is sent to the client. It should also be noted that the server can, for example, be a database server configured to provide access to one or more database services of a database.

To elaborate even further, FIG. 8 depicts a security method 800 for providing security in a computing environment in accordance with one embodiment. It should be noted that the computing environment can include at least one client and two or more servers each configured to provide one or more services. The security method 800 can, for example, be implemented at least partially by one or more physical processors configured to process executable computer code that can be stored in a non-transitory computer readable storage medium. The security method 800 can, for example, be implemented by the security system 102 (shown in FIG. 1). Referring to FIG. 8, initially, a token is obtained (802). It should be noted that the token has been provided by the server and requests access to one or more services of one or more other servers in the computing environment. The token can include verification information of at least one client and it can identify the server that provided the token. Typically, this token is generated based on a token that was provided by the client to the server in order to authenticate the client. Thereafter, another token is generated (804) that includes authorization information allowing the server access to one or more other services from one or more other servers, thereby allowing the server to send the generated token to the one or more other servers to indicate that it has been authorized to access the one or more other services from the one or more other servers. The method 800 ends after the token is generated (804). It should be noted that security methods 700 and 800 can be combined and implemented together by a single entity (e.g., security system 102).
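The FIG. 6 flow (phases 620 through 640) and methods 700 and 800 can be put together in one toy implementation. This is an added example, not the patent's own code: the CSS class, its HMAC-signed JSON tokens, the constructed key, the user/password store and the policy table are all assumptions, and the server's identity is passed as a parameter rather than as the signed wrapper token of claims 4 and 5.

```python
# Added example, not the patent's code: a toy centralized security service (CSS)
# modelling FIG. 6 phases 620-640 and methods 700/800. Tokens are JSON claims
# signed with HMAC-SHA256 under a constructed key (assumption).
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"   # constructed; a real CSS would use a managed key
TTL = 300                        # token lifetime in seconds (assumption)

def _sign(payload: dict) -> str:
    """Serialise the claims and append a MAC so the holder cannot alter them."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def _verify(token: str) -> dict:
    """Check the MAC in constant time and reject expired tokens."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad token signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims

class CSS:
    def __init__(self, users: dict, policy: dict):
        self.users = users        # user -> password (constructed credential store)
        self.policy = policy      # (user, service) -> external services it may reach
        self.delegated = {}       # user -> delegated credentials token (saved in 620)

    def authenticate_client(self, redirected_req: dict, user: str, password: str) -> str:
        """Method 700 (702-708): verify credentials, issue the client-side token."""
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("authentication failed")
        return _sign({"typ": "client", "sub": user, "aud": redirected_req["server"],
                      "exp": time.time() + TTL})

    def issue_access_token(self, server: str, client_token: str,
                           delegated_creds: str, next_service: str) -> str:
        """Method 800 / phase 620: server presents client token + delegated creds."""
        claims = _verify(client_token)
        if claims["typ"] != "client" or claims["aud"] != server:
            raise PermissionError("client token was not issued for this server")
        self.delegated[claims["sub"]] = delegated_creds
        return _sign({"typ": "access", "sub": claims["sub"], "via": server,
                      "aud": next_service, "exp": time.time() + TTL})

    def release_credentials(self, access_token: str, requester: str, external: str) -> str:
        """Phase 640: hand the saved credentials to a service only if policy allows."""
        claims = _verify(access_token)
        if claims["typ"] != "access" or claims["aud"] != requester:
            raise PermissionError("access token was not issued for this requester")
        if external not in self.policy.get((claims["sub"], requester), ()):
            raise PermissionError("user may not reach external service via requester")
        return self.delegated[claims["sub"]]

if __name__ == "__main__":
    css = CSS(users={"alice": "pw"}, policy={("alice", "DB1"): ("Hadoop",)})
    ct = css.authenticate_client({"server": "analytics"}, "alice", "pw")   # 610 / 700
    at = css.issue_access_token("analytics", ct, "DELEGATED-TGT", "DB1")    # 620 / 800
    print(css.release_credentials(at, "DB1", "Hadoop"))                     # 640
```

The policy check in `release_credentials` is what keeps a downstream service from pulling the user's delegated credentials for an external service the user was never authorized to reach.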

In view of the foregoing, it will be appreciated that a centralized security service can address various issues. One issue is that different users can be configured in relation to different services, yet those services can be used as part of the same service request. Services may have to store authentication information, e.g., user/password, for connecting to the next service. Virtually all services can use the same types of authentication mechanisms, e.g., password based, LDAP, Kerberos, but still operate separately. Although it may be possible to use Kerberos to solve some of these issues, it may not be feasible and/or desirable to do so, at least for some environments, e.g., cross-realm environments and cloud environments. Kerberos can be used by virtually all the services if the credentials are saved and moved as desired. However, this approach may leave some security concerns. Instead, the centralized security service can be used to allow delegation for accessing the next service.

Furthermore, conventionally, each server has to be separately configured for authorization, and a change in the security policy of an organization can require a significant amount of time and resources while security holes can still be created as a result of making the change. For virtually any new security feature, each development team of each service has to understand and develop it, but two development teams may interpret the requirements in different ways and implement them in different ways, leading to inconsistencies and/or confusion.

Generally, various aspects, features, embodiments or implementations of the invention described above can be used alone or in various combinations. Furthermore, implementations of the subject matter and the functional operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Implementations of the subject matter described in this specification can be implemented as one or more computer program products, i.e., one or more modules of computer program instructions encoded on a computer readable medium for execution by, or to control the operation of, data processing apparatus. The computer readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter affecting a machine-readable propagated signal, or a combination of one or more of them. The term “data processing apparatus” encompasses all apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers. The apparatus can include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them. A propagated signal is an artificially generated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal that is generated to encode information for transmission to suitable receiver apparatus.

A computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a standalone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program does not necessarily correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data, e.g., one or more scripts stored in a markup language document, in a single file dedicated to the program in question, or in multiple coordinated files, e.g., files that store one or more modules, subprograms, or portions of code. A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.

The processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read only memory or a random-access memory or both. The essential elements of a computer are a processor for performing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer need not have such devices. Moreover, a computer can be embedded in another device, e.g., a mobile telephone, a personal digital assistant (PDA), a mobile audio player, a Global Positioning System (GPS) receiver, to name just a few. Computer readable media suitable for storing computer program instructions and data include all forms of nonvolatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CDROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.

To provide for interaction with a user, implementations of the subject matter described in this specification can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, tactile or near-tactile input.

Implementations of the subject matter described in this specification can be implemented in a computing system that includes a backend component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a frontend component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification, or any combination of one or more such backend, middleware, or frontend components. The components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet.

The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

While this specification contains many specifics, these should not be construed as limitations on the scope of the disclosure or of what may be claimed, but rather as descriptions of features specific to particular implementations of the disclosure. Certain features that are described in this specification in the context of separate implementations can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or variation of a sub-combination.

Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.

The various aspects, features, embodiments or implementations of the invention described above can be used alone or in various combinations. The many features and advantages of the present invention are apparent from the written description and, thus, it is intended by the appended claims to cover all such features and advantages of the invention. Further, since numerous modifications and changes will readily occur to those skilled in the art, the invention should not be limited to the exact construction and operation as illustrated and described. Hence, all suitable modifications and equivalents may be resorted to as falling within the scope of the invention.

What is claimed is:
1. A computing system that includes one or more processors configured to execute computer executable code, wherein the one or more processors are further configured to: obtain, from a server, a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client to the server for one or more services of the server; obtain at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client; generate a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client that indicates that the identity of the client has been verified; and provide the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified at least partly based on the authentication information.
2. The computing system of claim 1, wherein the one or more processors are further configured to: verify the identity of the client based on the obtained authentication credentials of the client.
3. The computing system of claim 1, wherein the one or more processors are further configured to: obtain a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers, and generate a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers, thereby allowing the server to send the token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers.
4. The computing system of claim 3, wherein the second token includes the first token and identifies the server.
5. The computing system of claim 3, wherein the second token is the first token that is signed by the server.
6. The computing system of claim 1, wherein the one or more processors are further configured to: request the authentication credentials from the client, and send the first token to the client.
7. The computing system of claim 1, wherein the server is a database server configured to provide access to one or more database services of a database.
8. A computer-implemented method of providing security in a computing environment that includes at least one client and at least one server configured to provide one or more services, wherein the computer-implemented method is implemented at least partially by one or more physical processors configured to process executable computer code, and wherein the computer-implemented method comprises: obtaining, from the server, a redirected request for service, wherein the redirected request for service is an initial request for service made by the client to the server for one or more services of the server, obtaining at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client; generating a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client and indicates that the identity of the client has been verified; and providing the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified.
9. The computer-implemented method of claim 8, wherein the computer-implemented method further comprises: verifying the identity of the client based on the obtained authentication credentials of the client.
10. The computer-implemented method of claim 8, wherein the computer-implemented method further comprises: obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers in the computing environment; and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of the one or more other servers, thereby allowing the server to send the third token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers.
11. The computer-implemented method of claim 10, wherein the second token includes the first token and identifies the server.
12. The computer-implemented method of claim 10, wherein the second token is the first token that is signed by the server.
13. The computer-implemented method of claim 8, wherein the computer-implemented method further comprises: requesting the authentication credentials from the client, and sending the first token to the client.
14. The computer-implemented method of claim 8, wherein the server is a database server configured to provide access to one or more database services of a database.
15. A non-transitory computer readable storage medium storing at least executable code that when executed provides security in a computing environment that includes at least one client and at least one server configured to provide one or more services, and wherein the executable code when executed further: obtains, from the server, a redirected request for service, wherein the redirected request for service is an initial request for service made by the client to the server for one or more services of the server; obtains at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client; generates a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client and indicates that the identity of the client has been verified; and provides the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified.
16. The non-transitory computer readable storage medium of claim 15, wherein the executable code when executed further: verifies the identity of the client based on the obtained authentication credentials of the client.
17. The non-transitory computer readable storage medium of claim 15, wherein the executable code when executed further: obtains a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers in the computing environment; and generates a third token, wherein the third token includes authorization information allowing the server to access one or more other services of the one or more other servers, thereby allowing the server to send the third token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers.
18. The non-transitory computer readable storage medium of claim 17, wherein the second token includes the first token and identifies the server.
19. The non-transitory computer readable storage medium of claim 17, wherein the second token is the first token that is signed by the server.
20. The non-transitory computer readable storage medium of claim 17, wherein the executable code when executed further: requests the authentication credentials from the client, and sends the first token to the client.